Hanging Up the Dual Hat

Organizing America’s Cyber Strategy and Bureaucracy

By Forrest Simpson


[dropcap]A[/dropcap]mericans are familiar with the weapons of modern warfare – armed drones, special operations troops, fighter jets, and more. They see them scattered throughout the front pages of newspapers, television news segments, and on their social media newsfeeds. However, one of the most significant and newest technologies used by the United States (US) military to execute missions and wars around the globe is something that is harder to represent physically: cyber weapons.

Existing in an abstract and undefined domain, cyber weapons have become increasingly prevalent. Yet the public’s understanding of these weapons has failed to keep up. Tucked away in nondescript buildings from Hawaii to Virginia, cyber warfare is difficult to describe and visualize. This lack of concreteness is why articulating the doctrine governing America’s cyber arsenal, as well as the organization of the entities that control it, is so crucial.

A range of groups and individuals, such as the Carnegie Endowment for International Peace’s Cyber Policy Initiative, Alex Gibney in his documentary Zero Days, and even the New York Times in a recent piece, have all pronounced the current difficulty in determining the scale of the response to a cyber attack on the United States.

However, the potential for any sort of coherent, public strategy for offensive US cyber operations is still in its infancy, partly because the US continues to refuse that it has or uses this capability. The most notable American offensive cyber operation to date is the “Stuxnet” virus, a program created by the US and Israel in order to destroy the systems of Iran’s clandestine nuclear program. Both countries still refuse to discuss or acknowledge their involvement in this endeavor.

While the US, like the international community, remains far away from a fully developed framework for the military use of the cyber domain, an important first step for the US should be separating the control of the National Security Agency (NSA) and the US Cyber Command (CYBERCOM).

The NSA, which was founded in 1952, has a mission of collecting signals intelligence (SIGINT), meaning gathering information through communications and electronic means. It is a combat support agency under control of the Department of Defense, yet operates not as a traditional military command but as an agency within the intelligence community.

CYBERCOM, on the other hand, operates under a strictly military command that is responsible for offensive cyber attacks and operations, as well as the defense and maintenance of military networks and communications. Currently, both CYBERCOM and the NSA are under the control of a single director, a four-star military flag officer. CYBERCOM relies on the NSA for use of their servers and systems to conduct their operations. This close working relationship, however, blurs the lines of responsibility between the intelligence-gathering and military aspects of US cyber capabilities.

A presidential commission published in 2013 launched in response to the leaks by Edward Snowden recommended to President Barack Obama that the roles of the NSA and CYBERCOM be clearly delineated. “NSA should be clearly designated as a foreign intelligence organization. Other missions…should generally be assigned elsewhere,” the commission recommended, adding that, “the head of the military unit, US Cyber Command, and the Director of NSA should not be a single official.”

President Obama ultimately decided to reject this recommendation. Nevertheless, a new group of officials, including the Secretary of Defense Ashton Carter and Director of National Intelligence James Clapper, are now again advocating for a separation of the two organizations.

While it may appear to be a superficial bureaucratic change, putting a civilian in charge of the NSA and divorcing it from the US Cyber Command would help to clarify the distinct missions of each organization and lead to more direct management and oversight. It may take decades before there are international treaties and agreements on the use of cyber weapons, but this concrete and immediate step of clarifying the institutional responsibility for American cyber capabilities is crucial in ensuring that they are used effectively and responsibly.


Forrest Simpson is a sophomore in Saybrook College who blogs about national security. You can contact him at forrest.simpson@yale.edu